We Aren’t Ready For Smart Cities

But one day we will be …

We live in a very exciting age regarding technological innovations. Not only are new solutions finding their way into reality, they actually have a big impact on society in various ways. Cities worldwide are considering (and even implementing) smart city solutions to their problems. Although the upcoming technology to come seems very exciting to me, I am of the opinion that both the government and citizens need to put more thought into the cybersecurity aspect before implementing more smart city solutions.

The Smart City

The term ‘Smart city’ is still an abstract term and could mean different things to different people working in different sectors. My definition of smart city is in line with one of the key findings of the EU:

“…, a Smart City is a city seeking to address public issues via ICT based solutions on the basis of a multi-stakeholder, municipally based partnership.” (Manville, et al., 2014)

To keep it simple: any technological solution to a problem that can be addressed within a city. Those problems can be big or small (e.g. climate change and environmental issues to making the playground more fun). To achieve a certain goal different services, companies and means of transport will be connected to each other. Although there are many different frameworks for what a smart city ought to be, most of them include six abstract areas that are also included in the EU report. These areas are: smart governance, smart economy, smart mobility, smart environment, smart people and smart living.

All of the aforementioned areas have to do with enhancing our current environment and lifestyle with technology. To get a better understanding of what a smart city is, or what I refer to when I refer to a smart city, it is important know how the EU report defines these areas.

* Smart governance is primarily focussed on the city but also seeks a national and international connection to other cities. Organisations operating from the government should be able to connect services and interactions where necessary. Both the connections within and beyond the city can be achieved by information infrastructures, software or even hardware. Objectives for the smart government are providing transparency by sharing open data and encouraging civilians to participate in decision making.

* Smart economy is not just e-business and e-commerce. The smart economy wants to enable increased productivity, advanced manufacturing, advanced delivery of services, innovation, new business models and new products and services. By using technical solutions new smart economic clusters and eco-systems should form.

* Smart mobility should improve the transport and logistics systems for various means of transportation like busses, trains and cars. The goal is to make sure that citizens do not have to waste time in traffic and that all transportation is as efficient as possible. Besides that a smart city should find non-motorised solutions to transportation to reduce CO2 emissions.

* Smart environment is anything that enables improvement of environmental conditions and the reduction of waste and CO2 emissions. This includes the use of renewable energy and green urban planning. Services like street lighting, waste management and water

management should be monitored to make sure these services are used in a way that not detrimental to the environment.

* Smart people are regular citizens who are able to work in a technologically improved workspace. They have access to education and training, human resources and capacity management. People are enabled to use, manipulate, store and personalize data. This could help citizens make decisions or offer services and products.

* Last but not least smart living should enable citizens to use technology to improve their life styles, behaviour and consumption. The goal is include all citizens into society and spark social cohesion. Living healthy and save in good quality housing is also very important when it comes to smart living.

Government and Security

Because of the current and more frequently occurring terrorist attacks in western countries governments feel the need to protect themselves as a nation. This means safety before privacy which usually concludes into (intense) state surveillance. The 8,761 confidential documents WikiLeaks released not too long ago in a collection they call ‘Vault 7’ demonstrates the alarming extend the C.I.A. is able to spy on citizens in the U.S. and across the world. This includes turning regular connected devices like smartphones, computers and smart TVs into listening devices by sending malware or using zero day vulnerabilities (Anonymous, 2017). Current mainstream devices and operate systems can already be hacked by the government, why is that a problem?

A paper discussing the difference in interests between the government and its citizens regarding cyber security sheds light on very interesting insights. By securing the state with mass surveillance, looking for and creating backdoors, citizens are actually less safe on an individual level (Cavelty, 2013). Backdoors that are discovered by the government can essentially be detected by anyone. Leaks or discoveries like Vault 7 could mean that information about backdoors on devices used by millions of citizens can easily fall into the wrong hands if it is not protected properly. On the other hand the government could detect early signs of (cyber)terrorism and prevent attacks. The government is creating both more and less safety for its citizens. But what does that mean for a (future) smart city?

IoT and security

In order to create a smart city that will make living more convenient a lot of data will have to be connected in the background and made available within the entire city. Collecting big data on citizens is not new but a lot of loose ends will have to be connected. But making your life more convenient comes at a cost. It will be easier for the government to track civilians and they will gain far more information about them in a shorter amount of time. With the right tools and a leak like vault7 it is also easier for international enemies to tap into this information.

A lot of smart city solutions will not just consist of big data but also of IoT (internet of things) solutions. There are enough IoT devices on the consumer market and already in use by government (think of surveillance cameras you can easily connect with). Across the board it became very clear that security on IoT devices is of extremely poor quality.

On the 21st of October a lot of big websites like Twitter, Soundcloud & Spotify were offline in de U.S. due a DDoS attack on DNS provider Dyn. Unlike ‘normal’ DDoS attacks this one wasn’t hosted by computers but by IoT devices (Etherington & Conger, 2016). A DDoS attack is usually carried out a by a great number of devices that either purposefully or as a result of malware send a vast amount of requests to the same server. If the server receives more requests than it can administer it will go offline. The attacker used malware nicknamed ‘Mirai’ (Krebs, 2016). Mirai basically scans IoT devices and tries hardcoded standard authentication entries. If a login was successful Mirai forces the device to send a request (Gamblin, 2016). While the protection of computers gets upgraded with almost every update most IoT manufacturers are not focussed on security at all. An estimated 50% of IoT device manufactures will not be able to address threats caused by weak authentication practices by year-end 2018. And even though an estimated 20 billion devices will be connected by 2020, security will not be priority (Wagner, Perkins, Young, Singh, & Orans, 2015).

Sending requests is an example of what a hacker is able to do once he has got access to a device but essentially any correct code could be performed. If hackers could access the IoT devices used in smart cities they could obtain control and cause some serious damage. The use of digital weapons becomes more interesting, that interest will only grow when large sections of cities are automated.

Cyberwar When it comes to cyberwar I agree with the definition in the oxford dictionary:

“The use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.” (Oxford, n.d.)

WikiLeaks is a great example of cyberwar in our current time. It is a platform that is known for leaking sensitive information about the government. WikiLeaks sometimes purposefully waits for the right moment to leak information for ‘maximum impact’. A month before the 2016 American elections WikiLeaks announced an upcoming leak that would contain emails from candidate Hillary Clinton from her time as secretary of state. Edward Snowden is among the people who believe that WikiLeaks’ curation has led to the loss of Hillary Clinton (Ratner, 2016). However this can be taken a lot further when actual objects and big data on citizens are not safely connected with the internet. As discussed before, hackers could obtain control over various objects within a smart city. Cyberwar could become a new method to keep citizens hostage within their own city until the enemy gets what he wants.

Possible outcomes Keeping the same cybersecurity strategy can result in a few outcomes:

The city’s ‘vulnerable spots’ will be targeted which can directly impact citizens. The ‘vulnerable spots’ of the city are not necessarily the parts that are least secure but the spots that can have a really big impact on the physical safety of the citizens within the city. If two nations are at war with each other making (self-driving) trains crash into each other or hacking into a hospital would be appealing tactics to use. Parts of the city that could endanger the physical safety of citizens should not have a (standard) security that is built once but a security team that actively defends these vulnerable spots and keep hackers out.

Attacks on an individual level or a marginalized group within a city will become easier through obtained data collected from citizens. Cyberwar does not have to concern two opposing nations. Multiple extremist groups are usually focussed on specific cultures and movements rather than countries. This means that movement leaders and communities with a certain beliefs or lifestyles are targeted. Hackers who are members of extremist groups can find individual people or a community based on collected data and the observed patterns. This could help extremist in terms of efficiency regarding their attacks.

The intensified surveillance might mean that attackers from within can be tracked and caught before they can harm citizens. All the data used to make the smart city what it is could serve as mass surveillance data for the government. This data could be used to help national security agencies with identifying enemies from within or suspicious behaviour with more accuracy. However, individuals with certain characteristics and behaviours can be targeted while they have not committed any crimes or have any alarming plans.

Loads of smart city features attract me but we are at a point where more convenient applications require more sensitive data. Both the government and citizens should think carefully about the long term results of different smart city solutions and security decisions. I believe that with the current tools the most amazing smart cities could be built. However, when it comes to security there should be more debate and certain goals should be set. We are not ready for smart cities. At least, not yet.

References

Anonymous. (2017, March 7). Vault 7: CIA Hacking Tools Revealed. Retrieved from WikiLeaks: https://wikileaks.org/ciav7p1/

Cavelty, M. D. (2013). Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities. Dordrecht: Springer Science+Business Media .

Etherington, D., & Conger, K. (2016, October 21). Large DDoS attacks cause outages at Twitter, Spotify, and other sites. Retrieved from Tech Crunch: https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/

Gamblin, J. (2016, October 3). Mirai Source Code. Retrieved from GitHub: https://github.com/jgamblin/Mirai-Source-Code/blob/6a5941be681b839eeff8ece1de8b245bcd5ffb02/mirai/bot/scanner.c#L123

Krebs, B. (2016, October 1). Source Code for IoT Botnet ‘Mirai’ Released. Retrieved from Krebs on Security: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

Manville, C., Cochrane, G., Cave, J., Millard, J., Pederson, J. K., Thaarup, R. K., . . . Kotterink, B. (2014). Mapping Smart Cities in the EU. B-1047 Brussels: European Parlement.

Oxford. (n.d.). Cyberwar. Retrieved from Oxford Dictionaries: https://en.oxforddictionaries.com/definition/cyberwar

Ratner, P. (2016, November 9). Edward Snowden Called Out WikiLeaks Over Meddling in U.S. Election. Retrieved from Big Think: http://bigthink.com/paul-ratner/how-wikileaks-influenced-the-outcome-of-the-us-elections

Wagner, R., Perkins, E., Young, G., Singh, A., & Orans, L. (2015, December 9). Predicts 2016: Security for the Internet of Things. Retrieved from Gartner: https://www.gartner.com/document/code/293187?ref=grbody&refval=3316617